Datatilsynet (Denmark) - 2021-7329-0052: Difference between revisions

From GDPRhub
No edit summary
No edit summary
Line 66: Line 66:


=== Facts ===
=== Facts ===
The controller – Boligportal – was an online platform using “Facebook Connect” tools, including “Facebook Login” and “Facebook Pixel”. In making use of these tools, the controller transferred personal data to the US.
The controller – Boligportal – was an online housing platform using “Facebook Connect” tools, including “Facebook Login” and “Facebook Pixel”. In making use of these tools, the controller transferred personal data to the U.S.


The data subject claimed that their personal data were unlawfully transferred to the US in connection with their visit to the controller’s website. Transfer was unlawful as it did not rely on any legal basis, having the CJEU invalidated the EU Commission’s adequacy decision in the Schrems II judgement. The data subject acknowledged that they did not have the technical resources to demonstrate that their personal data were effectively transferred to the US. However, given Meta’s terms and conditions and commercial practices and the principle of accountability enshrined in [[Article 5 GDPR#2|Article 5(2) GDPR]], it was up to the controller to show that data were not transferred to third countries in the present case.  
The data subject claimed that their personal data were unlawfully transferred to the U.S. in connection with their visit to the controller’s website. According to the data subject, the data transfer was unlawful as it did not rely on any legal basis, after the CJEU invalidated the EU Commission’s adequacy decision in the "Schrems II" judgement ([https://curia.europa.eu/juris/document/document.jsf;jsessionid=1E2806A6F5A04246B927BC7E69809FA8?text=&docid=228677&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=14533665 C-311/18]). The data subject acknowledged that they did not have the technical resources to demonstrate that their personal data were effectively transferred to Meta Platforms Inc. in the US rather than only to Meta Ireland Ldt. However, given Meta’s terms and conditions (which contain provisions on data transfers), its commercial practices and the principle of accountability enshrined in [[Article 5 GDPR#2|Article 5(2) GDPR]], it was up to the controller to show that data were not transferred to third countries in the present case.  


The controller claimed that personal data were not transferred to the US, but only to Meta Ireland. What occurred afterwards between Meta Ireland and Meta Platforms Inc. did not concern the controller.
The controller claimed that personal data were not transferred to the US, but only to Meta Ireland. The controller argued that any processing activities taking place between Meta Ireland and Meta Platforms Inc. in the U.S.  were not their concern and outside of their control.


=== Holding ===
=== Holding ===
At the outset, the Danish DPA stated it did not have the means to ascertain whether data transfer to the US effectively took place. Therefore, it did not provide a clear answer to this part of the complaint and suggested that a court should adjudicate on the matter.
At the outset, the Danish DPA stated it did not have the means to ascertain whether data transfer to the U.S. effectively took place. Therefore, it did not provide a clear answer to this part of the complaint and suggested that a court was in a better position to adjudicate on the matter.


However, by embedding Meta plug-ins on its website, Boligportal contributed to the determination of purposes and means of the processing and thus became co-controller with Meta Ireland. According to the Danish DPA, [[Article 26 GDPR]] implies that co-controllers jointly ensure compliance with the GDPR and must jointly be able to demonstrate it. Such a compliance concerns also [[Article 44 GDPR]], even if only one of the controllers performs data transfers to a third country.
However, by embedding Meta plug-ins on its website, Boligportal contributed to the determination of purposes and means of the processing and thus became joint controller with Meta Ireland. According to the Danish DPA, [[Article 26 GDPR]] implies that joint controllers have to cooperate to ensure compliance with the GDPR and must jointly be able to demonstrate it. Such a compliance concerns also Article 44 GDPR, even if only one of the controllers performs data transfers to a third country.


In the Danish DPA’s view, the principle of accountability enshrined in [[Article 5 GDPR#2|Articles 5(2)]] and [[Article 24 GDPR|24 GDPR]] imposed on the controller an obligation to demonstrate that the sharing of personal data with the Meta Ireland was GDPR compliant. In other words, the fact that the controller did not know whether data were transferred to the US by Meta Ireland, far from being a justification, showed that the controller disregarded its responsibilities.  
In the Danish DPA’s view, the principle of accountability enshrined in [[Article 5 GDPR#2|Articles 5(2)]] and [[Article 24 GDPR|24 GDPR]] imposed on the controller an obligation to demonstrate that the sharing of personal data with Meta Ireland was compliant with the GDPR. In other words, the fact that the controller claimed to have no knowledge whether data were transferred to the US by Meta Ireland showed that the controller disregarded its responsibilities under the GDPR.


In light of the above, the Danish DPA seriously reprimanded the controller and ordered it to bring its processing activities in compliance with [[Article 25 GDPR|Articles 25]], [[Article 5 GDPR|5]] and [[Article 24 GDPR|24 GDPR]]. In particular, the controller shall be able to demonstrate compliance with such provisions.
In light of the above, the Danish DPA reprimanded the controller and ordered it to bring its processing activities in compliance with [[Article 25 GDPR|Article 25]], [[Article 5 GDPR|5]] and [[Article 24 GDPR|24 GDPR]]. within a month. In particular, the controller should ensue to be able to ''demonstrate'' compliance with its obligations under the GDPR.


== Comment ==
== Comment ==
''Share your comments here!''
The complaint was part of [https://noyb.eu/en/101-complaints-eu-us-transfers-filed ''noyb''’s “101 complaints”]on unlawful EU-U.S. data transfers in the wake of the “Schrems II” judgment. The Danish DPA’s view that it would require a court to asses if the data subject’s personal data had indeed been transferred to the U.S. is very puzzling in light of the ample investigative powers vested in the European DPAs under [[Article 58 GDPR|Article 58(1) GDPR]]. Several other DPAs (such as the Austrian, French or Italian DPA) had no problems establishing that a data transfer indeed took place. Without having established the existence of a data transfer, the Danish DPA consequently found no violation of [[Article 44 GDPR]] – again contrary to many of its European counterparts.


== Further Resources ==
== Further Resources ==
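
Review bot: In the revised Holding paragraph the order is still summarised as covering "[[Article 25 GDPR|Article 25]], [[Article 5 GDPR|5]] and [[Article 24 GDPR|24 GDPR]]", while the decision text reproduced on this page orders compliance with Articles 5(1)(a), 5(2), 24(1) and 26 GDPR, so the Article 25 reference should be checked against the source. The same sentence drops "seriously", although the decision speaks of "seriously reprimanding" Boligportal. The new text also introduces typos to fix before saving: "Ldt." for "Ltd.", "ensue" for "ensure", "asses" for "assess", a stray full stop in "24 GDPR]]. within a month", and a missing space in "“101 complaints”]on". The [[Article 44 GDPR]] wikilink in the joint-controller paragraph was replaced by plain text while the neighbouring article references stay linked; restore it for consistency.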

Revision as of 09:58, 24 May 2023

Datatilsynet - 2021-7329-0052
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 26 GDPR
Article 44 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 20.04.2023
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 2021-7329-0052
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: Datatilsynet (Denmark) (in EN)
Initial Contributor: mg

The Danish DPA reprimanded a controller for sharing personal data with Meta Ireland without first ascertaining that the latter complied with the GDPR when transferring data to Meta Platforms in the US.

English Summary

Facts

The controller – Boligportal – was an online housing platform using “Facebook Connect” tools, including “Facebook Login” and “Facebook Pixel”. In making use of these tools, the controller transferred personal data to the U.S.

The data subject claimed that their personal data were unlawfully transferred to the U.S. in connection with their visit to the controller’s website. According to the data subject, the data transfer was unlawful as it did not rely on any legal basis, after the CJEU invalidated the EU Commission’s adequacy decision in the "Schrems II" judgement (C-311/18). The data subject acknowledged that they did not have the technical resources to demonstrate that their personal data were effectively transferred to Meta Platforms Inc. in the US rather than only to Meta Ireland Ltd. However, given Meta’s terms and conditions (which contain provisions on data transfers), its commercial practices and the principle of accountability enshrined in Article 5(2) GDPR, it was up to the controller to show that data were not transferred to third countries in the present case.

The controller claimed that personal data were not transferred to the US, but only to Meta Ireland. The controller argued that any processing activities taking place between Meta Ireland and Meta Platforms Inc. in the U.S. were not their concern and outside of their control.

Holding

At the outset, the Danish DPA stated it did not have the means to ascertain whether data transfer to the U.S. effectively took place. Therefore, it did not provide a clear answer to this part of the complaint and suggested that a court was in a better position to adjudicate on the matter.

However, by embedding Meta plug-ins on its website, Boligportal contributed to the determination of purposes and means of the processing and thus became joint controller with Meta Ireland. According to the Danish DPA, Article 26 GDPR implies that joint controllers have to cooperate to ensure compliance with the GDPR and must jointly be able to demonstrate it. Such compliance also concerns Article 44 GDPR, even if only one of the controllers performs data transfers to a third country.

In the Danish DPA’s view, the principle of accountability enshrined in Articles 5(2) and 24 GDPR imposed on the controller an obligation to demonstrate that the sharing of personal data with Meta Ireland was compliant with the GDPR. In other words, the fact that the controller claimed to have no knowledge whether data were transferred to the US by Meta Ireland showed that the controller disregarded its responsibilities under the GDPR.

In light of the above, the Danish DPA reprimanded the controller and ordered it to bring its processing activities in compliance with Articles 25, 5 and 24 GDPR within a month. In particular, the controller should ensure that it is able to demonstrate compliance with its obligations under the GDPR.

Comment

The complaint was part of noyb’s “101 complaints” on unlawful EU-U.S. data transfers in the wake of the “Schrems II” judgment. The Danish DPA’s view that it would require a court to assess if the data subject’s personal data had indeed been transferred to the U.S. is very puzzling in light of the ample investigative powers vested in the European DPAs under Article 58(1) GDPR. Several other DPAs (such as the Austrian, French or Italian DPA) had no problems establishing that a data transfer indeed took place. Without having established the existence of a data transfer, the Danish DPA consequently found no violation of Article 44 GDPR – again contrary to many of its European counterparts.


English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

NOYB - European Center for Digital Rights
Goldschlagstrasse 172/4/3/2 1140 Wien

20 April 2023
J.No. 2021-7329-0052
Doc.no. 571264
Caseworker

The Danish Data Protection Agency
Carl Jacobsens Vej 35
2500 Valby
Denmark
T 3319 3200
dt@datatilsynet.dk
datatilsynet.dk
VAT No. 11883729

Complaint concerning the processing of personal data

The Danish Data Protection Agency (“Danish DPA”) hereby returns to the case where the organisation None of Your Business on behalf of (“the complainant”) on 17 August 2020 has filed a complaint with the Danish DPA that BoligPortal A/S (“BoligPortal”) has transferred personal data of the complainant to the United States in connection with the complainant’s visit to BoligPortal’s website on 12 August 2020.
Firstly, the Danish DPA notes that the supervisory authority by this decision has only considered BoligPortal’s processing of personal data through its use of “Facebook Business Tools”. As such, the Danish DPA has not considered the company’s potential processing of personal data using other third-party tools.

Secondly, the Danish DPA notes that the supervisory authority by this decision has only considered Boligportal’s processing of personal data of the complainant through the use of Facebook Business Tools. As such, the decision does not take a position on neither Meta Platforms Ireland Limited (formerly Facebook Ireland Limited, hereinafter Meta Ireland) nor Meta Platforms, Inc. (formerly Facebook, Inc., hereinafter Meta Platforms) processing of personal data.

Finally, the Danish DPA notes that since the complaint was filed, Boligportal has provided additional documentation to demonstrate that the processing has been carried out in accordance with the General Data Protection Regulation. Additionally, Meta Ireland has changed the terms under which the company provides its Facebook Business Tools.

On this basis, the Danish DPA has by this decision firstly assessed whether the processing of personal data of the complainant on 12 August 2020 occurred in compliance with the General Data Protection Regulation, and secondly, whether Boligportal’s current processing of personal data of website visitors complies with the General Data Protection Regulation.


1. Decision and order

Upon reviewing the case, the Danish DPA finds that there are grounds for seriously reprimanding Boligportal for not demonstrating that its processing of personal data of the complainant on 12 August 2020 was carried out in compliance with the General Data Protection Regulation (“GDPR”) and for not demonstrating that its current processing of personal data of website visitors takes place in compliance with Article 26 GDPR pursuant to Articles 5(1)(a), 5(2), and 24(1) GDPR.

Firstly, the Danish DPA considers that the supervisory authority cannot adopt a decision specifically on Boligportal’s possible transfer of personal data of the complainant to the United States as there is disagreement between the parties as to whether personal data of the complainant was in fact transferred to the United States.

However, the fact that the Danish DPA cannot decide on the possible transfer of personal data of the complainant to the United States gives the supervisory authority rise to assess whether Boligportal has complied with its obligations under the GDPR, in particular its obligation to demonstrate its compliance with the GDPR under Articles 5(1)(a), 5(2), and 24(1).

In this regard, the Danish DPA considers that – at the time of the complainant’s visit to Boligportal’s website on 12 August 2020 – there has been an insufficient allocation of roles and responsibilities between Boligportal and Meta Ireland in light of the processing of personal data that occurred.

Considering the processing activity and the purposes for which Boligportal, per its own submission as detailed in section 3.3 below, has processed the complainant’s personal data, the parties must be considered as joint controllers for the processing of personal data of the complainant.

In view of this, and considering that at the time of the complainant’s visit to Boligportal’s website there was no arrangement pursuant to Article 26 GDPR in place which in a transparent manner determined the parties’ respective responsibilities for compliance with the GDPR, the Danish DPA finds that Boligportal has not demonstrated that its processing of personal data of the complainant was carried out in compliance with Article 26 GDPR pursuant to Articles 5(1)(a), 5(2), and 24(1).

Additionally, the Danish DPA finds that it is unclear from the current arrangement concluded between Boligportal and Meta Ireland as joint controllers pursuant to Article 26 GDPR whether personal data of website visitors is processed by means located outside the EU/EEA and where, including, if applicable, by the use of processors outside the EU/EEA in the context of processing activities under the parties’ joint controllership and, consequently, which party is responsible for ensuring compliance with Article 44 GDPR.

As such, the Danish DPA considers that Boligportal has not, in general, demonstrated that its current processing of personal data takes place in compliance with Articles 26 GDPR pursuant to Articles 5(1)(a), 5(2), and 24(1) GDPR, as Boligportal has not fully identified whether personal data of visitors to its website is processed by means located outside the EU/EEA and where including, if applicable, by the use of processors outside the EU/EEA, in the context of the processing activities for which the Boligportal and Meta Ireland are joint controllers.

On this basis, the Danish DPA orders Boligportal to bring its processing of personal data into compliance with Articles 5(1)(a), 5(2), 24(1) and 26 GDPR and to be able to demonstrate compliance with these provisions.





1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Boligportal shall comply with the order no later than 18 May 2023. The Danish DPA requests confirmation and documentation that the order has been complied with no later than the same date.

In the view of the Danish DPA, this order may inter alia be complied with by clarifying the allocation of roles and responsibilities between Boligportal and Meta Ireland, so that it is apparent from the arrangement between the parties whether personal data of website visitors in the context of the joint controllership is processed by means located outside the EU/EEA including, if applicable, by the use of processors outside the EU/EEA and, consequently, how Article 44 GDPR is complied with as well as which party must ensure compliance with that provision. Alternatively, compliance with the order may be done by ceasing the processing activity in question.

The Danish DPA notes that the above-mentioned suggested solutions are not exclusive and do not constitute the only options for how Boligportal may comply with the order. As the controller, Boligportal has full freedom of choice in accordance with Articles 5(2) and 24(1) GDPR as to how it demonstrates its compliance with the GDPR.

This order is notified pursuant to Article 58(2)(d) GDPR.

According to Section 41(2)(4) of the Danish Data Protection Act, a fine or imprisonment of up to 6 months shall be imposed on persons who fail to comply with an order issued by the Danish DPA pursuant to Article 58(2)(d) GDPR.

Below is a detailed examination of the case and a statement of reasons for the Danish DPA’s decision.


2. Facts of the case

On 12 August 2020, the complainant visited Boligportal’s website. During the visit, the complainant was logged into her account on Facebook which is a social media platform operated by Meta Ireland.

Boligportal has embedded “Facebook Connect” tools on its website which are the subject of the complaint. The Danish DPA understands that “Facebook Connect” refers to several tools provided by Meta Ireland, in particular “Facebook Login” and “Facebook Pixel”.

The tools are provided by Meta Ireland to website operators under the terms “Facebook Business Tools Terms” and “Facebook Data Processing Terms”. Since the complainant’s visit to Boligportal’s website on 12 August 2020, the terms have been updated on 31 August 2020.


2.1. Meta Ireland’s Terms

Meta Ireland’s “Facebook Business Terms” of 26 December 2019, which were in force at the time of complainant’s visit to Boligportal’s website inter alia state the following:

    “The Facebook Business Tools are a subset of Facebook Products that we provide to help website owners and publishers, developers, advertisers, business partners (and their customers) and others integrate, use and exchange information with Facebook. The Facebook Business Tools include APIs and SDKs, the Facebook Pixel, social plugins such as the Like and Share buttons, Facebook Login and Account Kit, as well as other platform integrations, plugins, code, specifications, documentation, technology and services. By clicking “Accept” or using any of the Facebook Business Tools, you agree to the following:

    1. Sharing Personal Data with Facebook

    a. You may use the Facebook Business Tools to send personal data to us about your customers and users (“Customer Data”). Depending on the Facebook Products you use, Customer Data may include:

        i. “Contact Information” consists of information that personally identifies individuals, such as names, email addresses, and phone numbers that we use for matching purposes only. We will hash Contact Information that you send to us via a Facebook javascript pixel for matching purposes prior to transmission. When using a Facebook image pixel or other Facebook Business Tools, you or your service provider must hash Contact Information in a manner specified by us before transmission.

        ii. “Event Data” includes other information you share about your customers and the actions they take on your websites and apps or in your stores, such as visits to your sites, installations of your apps, and purchases of your products.

    [...]


    2. Use of Customer Data

    a. We will use Customer Data for the purposes depending on which Facebook Company Products you choose to use:

        i. Contact Information for Matching

            1. You instruct us to process the Contact Information solely to match the Contact Information against Facebook’s or Instagram's user IDs (“Matched User IDs”), as well as to combine those user IDs with corresponding Event Data. We will delete Contact Information following the match process.

        ii. Event Data for Measurement and Analytics Services

            1. You instruct us to process Event Data (a) to prepare reports on your behalf on the impact of your advertising campaigns and other online content (“Campaign Reports”) and (b) to generate analytics and insights about your customers and their use of your apps, websites, products and services (“Analytics”).

            2. We grant to you a non-exclusive and non-transferable license to use the Campaign Reports and Analytics for your internal business purposes only and solely on an aggregated and anonymous basis for measurement purposes. You will not disclose the Campaign Reports or Analytics, or any portion thereof, to any third party, unless otherwise agreed to in writing by us. We will not disclose the Campaign Reports or Analytics, or any portion thereof, to any third party without your permission, unless (i) they have been combined with Campaigns Reports and Analytics from numerous other third parties and (ii) your identifying information is removed from the combined Campaign Reports and Analytics.

        iii. Event Data to Create Targetable Audiences

            1. We may process the Event Data to create audiences (including Website Custom Audiences, Mobile App Custom Audiences and Offline Custom Audiences) that are grouped together by common Event Data, which you may use to target ad campaigns. In our sole discretion, we may also allow you to share these audiences with other advertisers.

        iv. Event Data to Deliver Commercial and Transactional Messages

            1. We may use the Matched User IDs and associated Event Data to help you to reach people with transactional and other commercial messages on Messenger and other Facebook Company Products.

        v. Event Data to Personalize Features and Content and to Improve and Secure the Facebook Products

            1. We use Event Data to personalize the features and content (including ads and recommendations) we show people on and off our Facebook Company Products. In connection with ad targeting and delivery optimization, we will: (i) use your Event Data for delivery optimization only after aggregating such Event Data with other data collected from other advertisers or otherwise collected on Facebook Products; and (ii) not allow other advertisers or third parties to target advertising solely on the basis of your Event Data.

            2. We may also use Event Data to promote safety and security on and off the Facebook Company Products, for research and development purposes, and to maintain the integrity of and to improve the Facebook Company Products.

    [...]

    4. A note to EU and Swiss data controllers

    a. To the extent the Customer Data contain personal data which you process subject to the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”), the parties acknowledge and agree that for purposes of providing matching, measurement, and analytics services described in Paragraphs 2.a.i and 2.a.ii above, that you are the data controller in respect of such personal data, and you have instructed Facebook Ireland Limited to process such personal data on your behalf as your data processor pursuant to these terms and Facebook’s Data Processing Terms, which are incorporated herein by reference. “Personal data,” “data controller,” and “data processor” in this paragraph have the meanings set out in the Data Processing Terms.”


Meta Ireland’s “Data Processing Terms” (undated), which are incorporated into Meta Ireland’s terms by reference inter alia state the following:

    “2. You agree that Facebook may subcontract its data processing obligations under these Data Processing Terms to a subprocessor, but only by way of a written agreement with the sub-processor which imposes obligations on the sub-processor no less onerous than as are imposed on Facebook under these Data Processing Terms. Where the sub-processor fails to fulfil such obligations, Facebook shall remain fully liable to you for the performance of that sub-processor’s obligations. You hereby authorize Facebook to engage Facebook Inc. (and other Facebook Companies) as its sub-processor(s). Facebook shall notify you of any additional sub-processor(s) in advance. If you reasonably object to such additional sub-processor(s), you may inform Facebook in writing of the reasons for your objections. If you object to such additional subprocessor(s), you should stop using the Services and providing data to Facebook.”


Meta Ireland’s “Facebook Business Terms” of 31 August 2020 , which are the latest applicable

terms inter alia state the following:


        “When you use the Facebook Business Tools to send us or otherwise enable the collection
        of Business Tool Data (as defined in Section 1 below), these terms govern the use of that
        data.

        Background: Ad Products and other Business Tools

        We may receive Business Tool Data as a result of your use of Facebook ad products, in
        connection with advertising, matching, measurement and analytics. Those ad products
        include, but are not limited to, Facebook Pixel, Conversions API (formerly known as
        Server-Side API), Facebook SDK for App Events, Offline Conversions, App Events API
        and Offline Events API. We also receive Business Tools Data in the form of impression
        data sent by Facebook Social Plugins (for example the Like and Share buttons) and Fa-

        cebook Login, and data from certain APIs such as Messenger Customer Match via the
        Send API. Facebook may also offer pilot, test, alpha, or beta programs from time to time
        through which you may provide Business Tool Data. Uses of Business Tools Data are
        described below.

        By clicking "Accept" or using any of the Facebook Business Tools, you agree to the fol-

        lowing:

            1.   Sharing Business Tool Data with Facebook

                      a.   You may use the Facebook Business Tools to send us one or both of
                           the following types of personal information (“Business Tool Data”) for
                           the purposes described in Section 2:

                         i.  “Contact Information” is information that personally identifies
                             individuals, such as names, email addresses, and phone
                             numbers, that we use for matching purposes only. We will
                             hash Contact Information that you send to us via a Facebook
                             JavaScript pixel for matching purposes prior to transmission.
                             When using a Facebook image pixel or other Facebook Business
                             Tools, you or your service provider must hash Contact
                             Information in a manner specified by us before transmission.

2  Printed by the complainant on 10 August 2020 from https://www.facebook.com/legal/terms/dataprocessing
3  https://www.facebook.com/legal/terms/businesstools

                         ii. “Event Data” is other information that you share about people
                             and the actions that they take on your websites and apps or
                             in your shops, such as visits to your sites, installations of your
                             apps, and purchases of your products. While Event Data
                             does include information collected and transferred when people
                             access a website or app with Facebook Login or Social
                             Plugins (e.g. the Like button), it does not include information
                             created when an individual interacts with our platform via
                             Facebook Login, Social Plugins, or otherwise (e.g. by logging
                             in, or liking or sharing an article or song). Information created
                             when an individual interacts with our platform via Facebook
                             Login, Social Plugins, or otherwise is governed by the Platform
                             Terms.
                        iii. Note: for purposes of these Business Tool Terms, references
                             in existing terms or agreements to “Customer Data” will now
                             mean “Business Tool Data.”

[...]

     2.   Use of Business Tool Data

              a.   We will use Business Tool Data for the following purposes depending
                   on which Facebook Business Tools you choose to use:

                         i.  Contact Information for Matching
                                  1.   You instruct us to process the Contact Information
                                       solely to match the Contact Information against
                                       user IDs (“Matched User IDs”), as well as to combine
                                       those user IDs with corresponding Event Data.
                                       We will delete Contact Information following the
                                       match process.

                         ii. Event Data for Measurement and Analytics Services
                                  1.   You may instruct us to process Event Data (a) to
                                       prepare reports on your behalf on the impact of
                                       your advertising campaigns and other online content
                                       (“Campaign Reports”) and (b) to generate analytics
                                       and insights about people and their use of
                                       your apps, websites, products and services
                                       (“Analytics”).
                                  2.   We grant to you a non-exclusive and non-transferable
                                       license to use the Campaign Reports and Analytics
                                       for your internal business purposes only and
                                       solely on an aggregated and anonymous basis for
                                       measurement purposes. You will not disclose the
                                       Campaign Reports or Analytics, or any portion
                                       thereof, to any third party, unless otherwise agreed
                                       to in writing by us. We will not disclose the Campaign
                                       Reports or Analytics, or any portion thereof,
                                       to any third party without your permission, unless (i)
                                       they have been combined with Campaigns Reports
                                       and Analytics from numerous other third parties
                                       and (ii) your identifying information is removed from
                                       the combined Campaign Reports and Analytics.


                        iii. Event Data for Targeting Your Ads
                                  1.   You may provide Event Data to target your ad campaigns
                                       to people who interact with your business.
                                       You may direct us to create custom audiences,
                                       which are groups of Facebook users based on
                                       Event Data, to target ad campaigns (including Website
                                       Custom Audiences, Mobile App Custom Audiences,
                                       and Offline Custom Audiences). Facebook
                                       will process Event Data to create such audiences
                                       for you. You may not sell or transfer these audiences,
                                       or authorize any third party to sell or transfer
                                       these audiences. Facebook will not provide such
                                       audiences to other advertisers unless you or your
                                       service providers share audiences with other advertisers
                                       through tools we make available for that purpose,
                                       subject to the restrictions and requirements
                                       of those tools and our terms.
                                  2.   These terms apply to the use of Website Custom
                                       Audiences, Mobile App Custom Audiences, and Offline
                                       Custom Audiences created through Facebook's
                                       Business Tools. Customer List Custom Audiences
                                       provided through our separate custom audience
                                       feature are subject to the Customer List
                                       Custom Audience Terms.

                        iv. Event Data to Deliver Commercial and Transactional
                            Messages
                                  1.   We may use the Matched User IDs and associated
                                       Event Data to help you reach people with transactional
                                       and other commercial messages on Messenger
                                       and other Facebook Company Products.

                        v.  Event Data to Improve Ad Delivery, Personalise Features
                            and Content and to Improve and Secure the Facebook
                            Products

                                  1.   You may provide Event Data to improve ad targeting
                                       and delivery optimization of your ad campaigns.
                                       We may correlate that Event Data to people who
                                       use Facebook Company Products to support the
                                       objectives of your ad campaign, improve the effectiveness
                                       of ad delivery models, and determine the
                                       relevance of ads to people. We may use Event
                                       Data to personalize the features and content (including
                                       ads and recommendations) that we show
                                       people on and off our Facebook Company Products.
                                       In connection with ad targeting and delivery
                                       optimization, we will: (i) use your Event Data for delivery
                                       optimization only after aggregating such
                                       Event Data with other data collected from other advertisers
                                       or otherwise collected on Facebook Products;
                                       and (ii) not allow other advertisers or third parties
                                       to target advertising solely on the basis of your
                                       Event Data.
                                  2.   To improve the experience for people who use
                                       Facebook Company Products, we may also use Event
                                       Data to promote safety and security on and off the
                                       Facebook Company Products, for research and development
                                       purposes and to maintain the integrity of
                                       and to improve the Facebook Company Products.

[...]


     5.  Additional Terms for Processing of Personal Information

       a.  To the extent the Business Tool Data contain Personal Information which you
           Process subject to the General Data Protection Regulation (Regulation (EU)
           2016/679) (the “GDPR”), the following terms apply:


                         i. The parties acknowledge and agree that you are the Controller
                            in respect of the Processing of Personal Information in
                            Business Tool Data for purposes of providing matching,
                            measurement and analytics services described in Sections
                            2.a.i and 2.a.ii above (e.g. to provide you with Analytics and
                            Campaign Reports), and that you instruct Facebook Ireland
                            Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2
                            Ireland (“Facebook Ireland”) to Process such Personal Information
                            for those purposes on your behalf as your Processor
                            pursuant to these Business Tools Terms and Facebook’s
                            Data Processing Terms. The Data Processing Terms are expressly
                            incorporated herein by reference and apply between
                            you and Facebook Ireland together with these Business
                            Tools Terms.


                        ii. Regarding Personal Information in Event Data referring to
                            people’s actions on your websites and apps which integrate
                            Facebook Business Tools for whose Processing you and
                            Facebook Ireland jointly determine the means and purposes,
                            you and Facebook Ireland acknowledge and agree to be
                            Joint Controllers in accordance with Article 26 GDPR. The
                            joint controllership extends to the collection of such Personal
                            Information via the Facebook Business Tools and its subsequent
                            transmission to Facebook Ireland in order to be used
                            for the purposes set out above under Sections 2.a.iii to
                            2.a.v.1 (“Joint Processing”). For further information, click
                            here. The Joint Processing is subject to the Controller Addendum,
                            which is expressly incorporated herein by reference
                            and applies between you and Facebook Ireland together with
                            these Business Tools Terms. Facebook Ireland remains an
                            independent Controller in accordance with Article 4(7) GDPR
                            for any Processing of such data that takes place after it has
                            been transmitted to Facebook Ireland.

                       iii. You, as the case may be, and Facebook Ireland remain
                            independent Controllers in accordance with Article 4(7) GDPR
                            for any Processing of Personal Information in Business Tool
                            Data under GDPR not subject to Sections 5.a.i and 5.a.ii.”

Meta Ireland’s “Controller Addendum” of 31 August 2020⁴, which is incorporated into Meta
Ireland’s terms by reference, inter alia states the following:


        “This Controller Addendum applies when it is expressly incorporated by reference into
        terms for Facebook Products, such as the Facebook Business Tools Terms (any such
        terms, “Applicable Product Terms”, any covered Facebook Products, “Applicable Products”).
        Capitalized terms used but not defined in this Controller Addendum have the meanings
        given in the Applicable Product Terms. In the event of any conflict between the
        Applicable Product Terms and this Controller Addendum, this Controller Addendum will
        govern solely to the extent of the conflict.

        Facebook and you agree to the following:


                Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin
                 2, Ireland ("Facebook Ireland" or “we”) and you (each a “Party”, together the
                 “Parties”) are Joint Controllers in accordance with Article 26 GDPR for the Joint
                 Processing specified by the Applicable Product Terms. The scope of the Joint
                 Processing and this Controller Addendum covers the collection of the Personal
                 Data specified by the Applicable Product Terms and its transmission to Facebook
                 Ireland; the subsequent processing of data by Facebook Ireland does not
                 form part of the Joint Processing. More information on the Joint Processing can
                 be found in the Applicable Product Terms.

                This Controller Addendum determines Facebook Ireland's and your responsibilities
                 for compliance with the obligations under the GDPR with regard to the Joint
                 Processing. The Joint Processing is subject to the provisions of this Controller
                 Addendum. They apply to all activities in which the Parties, their employees or
                 their Processors are involved in the Joint Processing.

                You agree to follow the available documentation regarding the correct technical
                 implementation of the Applicable Products into your websites or apps and their
                 configuration.

                Facebook Ireland's and your responsibilities for compliance with the obligations
                 under the GDPR with regard to the Joint Processing are determined as follows:

           No.  Obligation under GDPR  Facebook Ireland          You
           ----------------------------------------------------------------------------------------------
           1    Article 6:             X (regarding Facebook     X (regarding your own processing)
                Requirement of legal   Ireland’s processing)
                basis for Joint
                Processing
           ----------------------------------------------------------------------------------------------
           2    Articles 13, 14:                                 X
                Providing information                            This includes as a minimum the provision
                on Joint Processing of                           of the following information in addition
                Personal Data                                    to your standard data policy or similar
                                                                 document:

                                                                 That Facebook Ireland is a Joint
                                                                 Controller of the Joint Processing and
                                                                 that the information required by Article
                                                                 13(1)(a) and (b) GDPR can be found in
                                                                 Facebook Ireland’s Data Policy at
                                                                 https://www.facebook.com/about/privacy.

                                                                 The information that you use Applicable
                                                                 Products as well as the purposes for
                                                                 which the collection and transmission of
                                                                 Personal Data that constitutes the Joint
                                                                 Processing takes place as set out in the
                                                                 Applicable Product Terms.

                                                                 That further information on how Facebook
                                                                 Ireland processes Personal Data,
                                                                 including the legal basis Facebook
                                                                 Ireland relies on and the ways to
                                                                 exercise Data Subject rights against
                                                                 Facebook Ireland, can be found in
                                                                 Facebook Ireland’s Data Policy at
                                                                 https://www.facebook.com/about/privacy.
                                                                 (please see Applicable Product Terms for
                                                                 further information on the Joint
                                                                 Processing)
           ----------------------------------------------------------------------------------------------
           3    Article 26(2): Making                            X
                available the essence                            This includes as a minimum the provision
                of this Controller                               of the following information:
                Addendum
                                                                 That you and Facebook Ireland have:

                                                                 entered into this Controller Addendum to
                                                                 determine the respective
                                                                 responsibilities for compliance with the
                                                                 obligations under the GDPR with regard
                                                                 to the Joint Processing (as specified in
                                                                 the Applicable Product Terms);

                                                                 agreed that you are responsible for
                                                                 providing Data Subjects as a minimum
                                                                 with the information listed under no. 2;

                                                                 agreed that between the Parties,
                                                                 Facebook Ireland is responsible for
                                                                 enabling Data Subjects’ rights under
                                                                 Articles 15-20 of the GDPR with regard
                                                                 to the Personal Data stored by Facebook
                                                                 Ireland after the Joint Processing.
           ----------------------------------------------------------------------------------------------
           4    Articles 15-20: Rights X
                of the Data Subject
                with regard to the
                Personal Data stored
                by Facebook after the
                Joint Processing
           ----------------------------------------------------------------------------------------------
           5    Article 21: Right to   X (regarding Facebook     X
                object insofar as the  Ireland’s processing)     (regarding your own processing)
                Joint Processing is
                based on Article
                6(1)(f)
           ----------------------------------------------------------------------------------------------
           6    Article 32: Security   X (regarding the          X
                of the Joint           security of the           (regarding the correct technical
                Processing             Applicable Products)      implementation and configuration of the
                                                                 Applicable Products)
           ----------------------------------------------------------------------------------------------
           7    Articles 33, 34:       X (insofar as a Personal  X (insofar as a Personal Data Breach
                Personal Data Breaches Data Breach concerns      concerns your obligations under this
                concerning the Joint   Facebook Ireland’s bond   Controller Addendum)
                Processing             under this Controller
                                       Addendum)

4  https://www.facebook.com/legal/controller_addendum

               All other responsibilities for compliance with obligations under the GDPR regarding
                the Joint Processing remain with each Party individually. [...]


In clause 5.a.ii of its “Facebook Business Tools” terms, Meta Ireland refers to further
information⁵. This information provides an overview of the personal data collected and transmitted
to Meta Ireland as part of the processing activity for which the parties are joint controllers.


This overview shows inter alia that the tools Facebook Login and Facebook Pixel collect
information about “http header information, which include information about the web browser or
app used (e.g. user agent, locale country-level/language)” and “online identifiers including IP
addresses and, insofar as provided, FB-related identifiers or device identifiers (such as mobile
OS advertising IDs) as well as information on opt-out/limited ad tracking status”.


2.2. Complainant’s submissions

In general, the complainant has stated that in connection with her visit to Boligportal’s website,
Boligportal has processed information about her IP address and information collected through
cookies and transferred (some of) this information to Meta Platforms in the United States.

To support this, the complainant has submitted technical documentation for her visit to
Boligportal’s website on 12 August 2020.


Additionally, the complainant has stated that the transfer is unlawful as the Court of Justice of
the European Union (“CJEU”) in its so-called Schrems II-decision invalidated the European
Commission’s adequacy decision concerning the United States (more specifically US organisations
certified under the Privacy Shield-scheme). Therefore, there is no transfer basis for
transfers to the United States pursuant to Article 45 GDPR.

Furthermore, the complainant has stated that the transfer cannot take place on the basis of
standard contractual clauses pursuant to Article 46(2)(c) and (d) GDPR if an essentially equivalent
level of data protection cannot be ensured by the SCCs in the third country to which the
data are transferred.


In this regard, the complainant has stated that Meta Platforms is considered an electronic
communications service provider and is thus covered by Section 702 of the Foreign Intelligence
Surveillance Act (FISA 702). According to the CJEU, transfer of personal data to companies
that are subject to FISA 702 constitutes an infringement of Articles 7 and 8 and the
essence of Article 47 of the Charter of Fundamental Rights of the European Union. Finally, the
complainant refers to the fact that Meta Platforms inter alia according to its own Transparency
Report actively discloses personal data to U.S. authorities under FISA 702.

In summary, the complainant argues that Boligportal cannot ensure an essentially equivalent
level of data protection for personal data of the complainant that is transferred to Meta
Platforms.


With regard to the allocation of roles and responsibilities between Boligportal and Meta Ireland,
the complainant has generally stated that Boligportal has entered into a contract with Meta
Ireland under which Meta Ireland acts as a processor on behalf of Boligportal and that
Boligportal has authorised the use of Meta Platforms as subprocessor for Boligportal. The
complainant refers to clause 4 of the Facebook Business Tools Terms of 26 December 2019 and
clause 1.4 of the Facebook Data Processing Terms. The complainant also refers to point 4 of
the Facebook Business Tool Terms of 31 August 2020.

5  Under clause 5.2.ii Meta Ireland refers to the following website: https://www.facebook.com/legal/terms/businesstools_jointprocessing
6  Judgment of the Court of Justice of the European Union of 16 July 2020 in Case C-311/18, Schrems II.


The complainant has stated that Boligportal cannot accept Meta Ireland’s standard terms and
at the same time claim in good faith that no personal data is transferred to the United States.
These transfers were the subject of the case in the judgment of the Irish Supreme Court “Data
Protection Commission — v. Facebook and Schrems, No.2016 4809P”, which led to the judgment
of the CJEU in the Schrems II-decision. As such, there is a presumption that Meta Ireland
transfers personal data to Meta Platforms in the United States. In the complainant’s view,
Boligportal must – pursuant to the provisions on accountability in Articles 5(2) and 24(1) GDPR
– be able to prove that, despite the existing contractual relationship and the technical
arrangement of Meta’s platform, no personal data is transferred to the United States.


To the extent that Meta Ireland cannot be considered a processor for Boligportal, the
complainant has further stated that Meta Ireland and Boligportal are joint controllers for the
processing of personal data. The parties have made a joint decision on the purposes and means
of the processing of personal data by embedding Meta Ireland’s tools on Boligportal’s website
which include transfers of personal data to the United States.

Finally, the complainant submits that according to the principle of accountability in Articles 5(2)
and 24 GDPR, it is for the controller to demonstrate that the processing of personal data is
carried out in compliance with data protection law.


The complainant states in this regard that she does not have the technical means of providing
certain proof that the transfer has actually taken place as Meta Ireland is unlikely to provide
the complainant with the necessary access to demonstrate this. However, according to the
complainant, Boligportal, as the controller, is required to demonstrate that personal data of the
complainant are not transferred to Meta Platforms, in particular in view of the publicly known
fact that Meta Ireland uses Meta Platforms’ infrastructure. It is insufficient to submit that the
complainant must demonstrate that her personal data has been transferred to the United
States and it is insufficient to refer to the fact that the IP addresses to which the data were
transferred are registered to Meta Ireland.

2.3. Boligportal’s comments

Boligportal has generally stated that, according to the technical information immediately
available to the company, it did not transfer personal data of the complainant to the United States
using the tools provided by Meta Ireland.

Boligportal has stated that, on the basis of an examination of the documentation submitted by
the complainant, it is the company’s view that the complainant has visited the front page of
Boligportal’s website, that the complainant has not used her Facebook account to create a
profile on Boligportal’s website, and that the complainant has not searched for housing or
leases on the website.


Additionally, Boligportal has stated that in the abovementioned documentation the company
has identified three scripts which were loaded from the domain “connect.facebook.com” and
that those scripts were loaded from the IP address [...]. From these three scripts, a
pixel is loaded from the facebook.com domain which is retrieved from the IP address [...].

Boligportal has further stated that by looking up the IP addresses in the Réseaux IP Européens
Network Coordination Centre (RIPE NCC)⁷, Boligportal finds that the two IP addresses form
part of a pool of IP addresses registered to “Facebook Ireland Ltd” and that the IP addresses
belong to “IE”, that is to say, Ireland. Boligportal submits that the company has no reason to
assume that the same should not have been the case on 12 August 2020 when the complainant
visited the website.


Boligportal has also stated that by embedding the scripts and pixels in question, Boligportal
has accepted the standard terms of use of those scripts. However, Boligportal’s assessment
is that the provisions governing the transfer to third countries are irrelevant to the complaint as
Boligportal has neither transferred nor contributed to the transfer of personal data of the
complainant to the United States. Personal data appear to only have been transmitted to Ireland.


As regards the allocation of roles and responsibilities between Boligportal and Meta Ireland,
Boligportal has generally stated that none of the services for which Boligportal has used the
tools from Meta Ireland entail that Meta Ireland has been a processor for Boligportal, including
for the processing of personal data of the complainant in connection with the complainant’s
visit to Boligportal’s website on 12 August 2020.

Boligportal has stated that the company subsequently made a general update of its privacy
policy on 19 February 2021 clarifying the correct context. It follows from the updated privacy
policy that there is joint controllership for the given processing of personal data which does not
involve the transfer of personal data to third countries.


Boligportal has further stated that Meta Ireland’s terms cover a wide variety of Meta Ireland’s
services and that Boligportal uses Meta Ireland’s tools for limited activities. None of the
services for which Boligportal has used Meta Ireland’s tools entail that Meta Ireland is a processor
for Boligportal.

Boligportal has also stated that the company is not aware of whether there is a transfer of
personal data between Meta Ireland and Meta Platforms, but this is also irrelevant as – under
Chapter V GDPR – Boligportal’s controllership and liability ends upon the company’s
transmission of personal data to Meta Ireland as an independent controller.


Boligportal has stated that there has been no evidence to support that the company had
transferred personal data to the United States and that the facts of a 2016 case from the Irish Data
Protection Commission are not relevant to the present case.

Finally, on the limits of joint controllership with Meta Ireland, Boligportal has stated the
following:


       “[Boligportal] collects information on both its own and Facebook Ireland Ltd’s behalf, and
       subsequently [Boligportal] and Facebook Ireland Ltd. are each controllers for the respec-
       tive further use of the personal data. This is also stated in [Boligportal’s] privacy policy at
       […] under point “Social media” ([Boligportal’s emphasis):

               “For some of our partners, we have a joint controllership, i.e. Boligportal

               collects information on both our own behalf and a partner’s. Subsequently,
               Boligportal and the partners are each a controller for the respective
               further use of the data. Below you can see with which partners we are
               joint controllers and how the responsibility is allocated.




7  RIPE NCC is the Regional Internet Register (RIR) for Europe. A RIR is an organisation that handles the assignment and registration of, inter alia, IP addresses within a specific region. There are a total of five regional registers.
        Login using your Facebook profile on Boligportal

        Facebook Ireland, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2,
        Ireland. You can read about

                 • data processing here – Facebook Login, which is Event Data in
                   section 2.a.ii and section 5.a.ii on joint controllership:
                   https://www.facebook.com/legal/terms/businesstools
                 • allocation of responsibilities here:
                   https://www.facebook.com/legal/controller_addendum
                 • information about Facebook’s privacy information here:
                   https://www.facebook.com/about/privacy including the basis for
                   Facebook’s processing and exercise of rights with Facebook”

Despite [Boligportal’s] unambiguous indication of the allocation of responsibilities, which
has been available on [Boligportal’s] website since the update on 19 February 2021, [the
complainant] writes in the letter of 29 November 2021:


        “... in any case there is a joint controllership of Facebook Ireland Ltd. and
        the respondent. The two companies jointly made the decision on the purposes
        and means of data processing by integrating Facebook tools, which
        involve the transfer of data to Facebook Inc. into [Boligportal’s] website.”

This view is contested in relation to the time after the transmission to Facebook Ireland
Ltd. as [Boligportal] is no longer part of the joint controllership where the processing no
longer relates to the use of Facebook Connect as described in the Privacy Policy.

The use of Facebook Connect does not entail a transfer to the United States. The processing
consists of the collection and transmission of personal data through a cookie and
the execution of scripts from the Facebook domain in Ireland. The function is used solely
to support website visitors’ login options and to enable Facebook Ireland Ltd. to identify
that the complainant has visited the website.

From the EDPB’s Guidance 07/2020 on joint controller follows ([Boligportal’s] highlights):

        “Joint participation can take the form of a common decision taken by two
        or more entities or result from converging decisions by two or more entities,
        where the decisions complement each other and are necessary for the
        processing to take place in such a manner that they have a tangible impact
        on the determination of the purposes and means of the processing.
        An important criterion is that the processing would not be possible
        without both parties’ participation in the sense that the processing by
        each party is inseparable, i.e. inextricably linked. The joint participation
        needs to include the determination of purposes on the one hand and the
        determination of means on the other hand.”

As previously mentioned above, [Boligportal] does not exercise any influence over the
processing operations carried out by Facebook Ireland Ltd. as an independent controller
after the transmission from [Boligportal]. Thus, a transfer from Facebook Ireland Ltd. to a
recipient in the United States will be possible without [Boligportal’s] participation in the
determination of the purpose or means.


[Boligportal] further refers to the judgments of the Court of Justice of the European Union
C-210/16 (“Wirtschaftsakademie-decision”) and C-40/17 (“Fashion ID-decision”) as well
as to the Danish DPA’s decision in case 2018-32-0357 (“DMI-decision”).

In its Wirtschaftsakademie-decision, the CJEU clarified in para. 43 that:


        “[...] the existence of joint responsibility does not necessarily imply equal
        responsibility of the various operators involved in the processing of personal
        data. On the contrary, those operators may be involved at different
        stages of that processing of personal data and to different degrees, so that
        the level of responsibility of each of them must be assessed with regard to
        all the relevant circumstances of the particular case.”


In its later Fashion ID-decision, para. 70, the CJEU applied an identical interpretation of
the scope of joint controllership. Furthermore, the CJEU expressly stated in its Fashion
ID-decision, para. 74, that a [legal] person cannot be regarded as a joint controller of processing
operations carried out by another controller that precede or are subsequent to the
processing operations of that legal person, where he determines neither the purposes nor
means of processing by the other controller. Therefore, in the specific case, the CJEU did
not consider Fashion ID to be the controller in relation to Facebook’s processing of personal
data after it was transferred to Facebook.

        The Danish DPA has adopted the same interpretation in its DMI-decision, where, in accordance
        with the case-law of the CJEU, the Danish DPA stated that it is excluded that
        the joint controllership covers subsequent processing operations for which a company
        does not determine the purpose or means:

                “In view of this, the Danish DPA considers that the processing operations
                for which DMI together with Google can determine the purposes and
                means are the collection and transmission of personal data of visitors to
                dmi.dk. On the other hand, as regards the personal data at issue, it appears
                prima facie impossible for DMI to determine the purposes and means of
                subsequent processing operations relating to personal data by Google after
                their transmission to Google hence DMI cannot be regarded as the controller
                for those operations.”

        The [complainant’s] submissions in the letter of 16 March 2021 that [Boligportal] is the
        controller because there is a “chain of processing” directly contradict the interpretation by
        the CJEU and the Danish DPA of joint controllership and the limits of the responsibilities
        of the actors involved.

        As [Boligportal] has already made clear, [Boligportal] is not aware of whether Facebook
        Ireland Ltd. has transferred personal data to Facebook Inc. in the United States. Consequently,
        it is clear that [Boligportal] could not in any way have participated in the determination
        of the purpose or determination of the means in the context of the alleged but still
        unsubstantiated transfer. Therefore, [Boligportal] is not the controller responsible for this
        specific processing, which may involve a transfer to the United States.

        [Boligportal] has not carried out the specific processing to which the complaint relates.
        Thus, should Facebook Ireland Ltd have made the alleged transfer, it is outside the scope
        of [Boligportal’s] controllership within the meaning of Article 26 GDPR since [Boligportal]
        cannot be regarded as a controller for processing operations subsequent to the transmission
        to Facebook Ireland Ltd.


        No documentation has been put forward demonstrating that, following the reception of the
        information by the Irish subsidiary, Facebook has transferred any personal data relating
        to the complainant to the United States through the executed script on [Boligportal]’s website.

        It can never be detrimental to [Boligportal] that [Boligportal] cannot demonstrate whether
        a subsequent controller (Facebook) has transferred personal data to the United States or
        not. [Boligportal] is simply not responsible for any transfer, nor is it obliged to demonstrate
        anything in this regard against the complainant or the Danish DPA. The question in principle
        is whether a prior controller is obligated under the GDPR or other legal provisions to
        demonstrate whether a subsequent controller has or has not transferred information about
        a complainant to the United States when the trail for the processing of personal data by
        the prior controller stops in Ireland. That question must necessarily be answered in the
        negative.


3. Reasons for the Danish DPA’s decision
3.1. Is this processing of personal data?

On the basis of the documentation submitted by the complainant, the Danish DPA finds that, upon the complainant’s visit to Boligportal’s website, information about inter alia the complainant’s IP address, her visit to Boligportal’s website, the time of the visit, and other information about the complainant’s browser, operating system, etc. as well as information about online identifiers collected through cookies stored in the complainant’s browser, has been collected and transmitted.


According to the “Facebook Business Tools Terms” of 26 December 2019 and 31 August 2020, this information, which is defined as “Event Data”, is used inter alia to create target groups on Facebook which can be used for targeted marketing, and to personalise features and content on Facebook.


In its decision of 11 February 2020 in the case 2018-32-0357 concerning the Danish Meteorological Institute’s processing of personal data of website visitors, the Danish DPA held that such data is considered as personal data when the data makes it possible to single out the persons in question.

Accordingly, it is the Danish DPA’s assessment that the information about the complainant in the present case which is collected and transmitted to Meta Ireland constitutes personal data of the complainant.


In support of this assessment, the Danish DPA considers that the information relates to the characteristics and behaviour of the complainant and is used to treat that person in a certain manner in relation to which functions and content are displayed for the complainant on Facebook.


3.2. Has personal data about the complainant been transferred to the United States?
The complainant has stated that her personal data has been collected and transferred to Meta
Platforms in the United States as part of her visit to Boligportal’s website.


In this regard, Boligportal has stated that according to the technical information immediately available to the company, it did not transfer personal data of the complainant to the United States and that the IP addresses to which the data was transferred upon the complainant’s visit to Boligportal’s website were registered with Meta Ireland located in Ireland.


The complainant has stated that she does not have the technical means to provide certain proof that the transfer has actually taken place as Meta Ireland is unlikely to provide the complainant with the necessary access to demonstrate this. However, according to the complainant, Boligportal is – as the controller – required to demonstrate that personal data of the complainant is not transferred to Meta Platforms, in particular in view of the publicly known fact that Meta Ireland uses Meta Platforms’ infrastructure. In that regard, it is insufficient for Boligportal merely to refer to the fact that the IP addresses to which the complainant’s data have been transferred are registered with Meta Ireland.


Regarding this, Boligportal has stated that it has only transmitted information to Ireland and that no evidence has been provided that, following its receipt of the information, Meta Ireland has transferred the personal data of the complainant to the United States by means of the executed scripts on Boligportal’s website.


On this basis, the Danish DPA finds that there is disagreement between the parties as to whether there has been a specific transfer of personal data of the complainant to the United States.

The Danish DPA notes that the supervisory authority in principle only handles cases on a written basis. In cases where there is a disagreement between the parties on the facts, the Danish DPA only takes a position on such disagreement if either position can be supported by the further material of the case. The final assessment of such evidential issues can be carried out by the courts, which, unlike the Danish DPA, have the opportunity to clarify factual circumstances, including by means of questioning of witnesses.


As a result, the Danish DPA cannot clearly determine whether, in this specific case, personal data of the complainant has been transferred to third countries and, if so, which countries. Therefore, the supervisory authority cannot adopt a specific decision concerning Boligportal’s possible transfer of personal data of the complainant to the United States.


However, the fact that the Danish DPA cannot decide on the possible transfer of personal data of the complainant to the United States gives the Danish DPA reason to assess whether Boligportal has complied with its obligations under the GDPR, in particular its obligation to demonstrate its compliance with the GDPR under Articles 5(1)(a), 5(2), and 24(1).

3.3. Roles and responsibilities
The question then arises as to the allocation of roles and responsibilities between Boligportal and Meta Ireland for the processing of the personal data at issue.


At the time of the complainant’s visit to Boligportal’s website on 12 August 2020

By integrating tools from Meta Ireland on its website, Boligportal has enabled Meta Ireland to obtain personal data concerning visitors to its website, including the complainant, as this possibility arises from the moment they visit the website.


In light of this, the Danish DPA considers that it can be established that the processing operations for which Boligportal together with Meta Ireland jointly determine the purposes and means of processing are the collection and transmission of personal data concerning visitors to Boligportal’s website, including the complainant.


In its decision of 11 February 2020 in the case 2018-32-0357 concerning the Danish Meteorological Institute’s processing of personal data of website visitors, the Danish DPA held that embedding plug-ins on a website, which triggers the collection of personal data, means that the website operator becomes a joint controller with the provider of the plug-in in question for the collection and transmission of personal data.


With regard to the means used for the collection and transmission of personal data of visitors to Boligportal’s website, including the complainant, it is apparent from sections 2 and 2.3 above that Boligportal has embedded tools from Meta Ireland on its website, which the latter provides to website operators, and that Boligportal is aware that these tools, in addition to making it possible to create an account on Boligportal’s website via the visitors’ Facebook account, also collect and transmit personal data of website visitors, including the complainant, to Meta Ireland.


By integrating these tools on its website, Boligportal exerts a decisive influence over the collection and transmission of personal data of visitors to its website, including the complainant, to Meta Ireland, as this processing would not have occurred had the tools not been integrated on the website.8


On this basis, the Danish DPA finds that Boligportal and Meta Ireland jointly determine the means used for the collection and transmission of personal data of visitors to Boligportal’s website, including the complainant.


As for the purposes of the processing of the personal data of the complainant, the Danish DPA finds that Boligportal’s embedding of the Facebook Login tool takes place inter alia in order to be able to perform targeted marketing on Facebook.


The Danish DPA notes that Boligportal has stated (as detailed in section 2.3 above) that at the time of the complainant’s visit to Boligportal’s website, it did not use tools from Meta Ireland for purposes where Meta Ireland acts as a processor, but rather for purposes where the parties act as joint controllers. The Danish DPA therefore concludes that Boligportal has used the tools for one or more of the purposes set out in section 2.a.iii-v of Meta Ireland’s “Facebook Business Tools Terms” dated 26 December 2019.







8  Judgment of the Court of Justice of the European Union of 29 July 2019 in C-40/17, Fashion ID, paragraph 78.

Accordingly, the Danish DPA considers that by integrating these tools on its website, Boligportal has enabled the collection and transmission of personal data of the complainant as this processing activity is performed in the economic interest of both Boligportal and Meta Ireland, whereas the latter’s access to this data for the purpose of evaluating and determining the preferences and behaviour of the complainant contributes to the efficacy of Meta Ireland’s advertising platform which also benefits Boligportal in the form of improved marketing opportunities on Facebook.9


In light of the foregoing, it is the view of the Danish DPA that Boligportal and Meta Ireland jointly determine the purposes and means for the collection and transmission of personal data of the complainant and shall be considered as joint controllers for these processing operations.


After Meta Ireland’s update of its Terms on 31 August 2020

As Boligportal has continued to embed the tools of Meta Ireland on Boligportal’s website after the complainant’s visit, Boligportal continues to have a decisive influence on the collection and transmission of personal data of its website visitors to Meta Ireland.


Similarly, Meta Ireland’s update of its terms on 31 August 2020 has not resulted in significant changes in the purposes for which the personal data is collected and transmitted to Meta Ireland via its business partners such as Boligportal. Personal data is thus processed to enable Boligportal to perform targeted marketing on Facebook as well as the improvement and efficacy of Meta Ireland’s advertising platform.


Consequently, the Danish DPA considers that the processing activity continues to take place in the economic interest of both Boligportal and Meta Ireland and that Boligportal and Meta Ireland continue to jointly determine the purposes and means for the collection and transmission of personal data of visitors to Boligportal’s website. As such, the parties are joint controllers for these processing operations.


The Danish DPA has also considered that the terms have been clarified, in particular with respect to the determination of roles and responsibilities, such that it is now apparent from clause 5.a.ii of the terms that website operators and Meta Ireland are joint controllers for the processing of personal data of website visitors on websites where tools from Meta Ireland are embedded. It follows from the terms that the parties are joint controllers for the collection and transmission of the personal data to Meta Ireland.


3.4. Who is responsible and for what?

It follows from Article 26(1) GDPR that joint controllers shall determine their respective responsibilities for compliance with the obligations under the GDPR in a transparent manner.


In its Guidelines 7/2020 on controllers and processors, the European Data Protection Board has elaborated on what this obligation entails in practice:


       “Joint controllers thus need to set “who does what” by deciding between themselves who
       will have to carry out which tasks in order to make sure that the processing complies with
       the applicable obligations under the GDPR in relation to the joint processing at stake. In
       other words, a distribution of responsibilities for compliance is to be made as resulting from
       the use of the term “respective” in Article 26(1). [...]







9  Judgment of the Court of Justice of the European Union of 29 July 2019 in Case C-40/17 Fashion ID, paragraph 80.
10 European Data Protection Board’s guidelines 7/2020 on the concepts of controller and processor in the GDPR, version 2, adopted on 7 July 2021, para. 162, 163, 165 & 166.

        The objective of these rules is to ensure that where multiple actors are involved, especially
        in complex data processing environments, responsibility for compliance with data protection
        rules is clearly allocated in order to avoid that the protection of personal data is reduced,
        or that a negative conflict of competence lead to loopholes whereby some obligations
        are not complied with by any of the parties involved in the processing. It should be
        made clear here that all responsibilities have to be allocated according to the factual
        circumstances in order to achieve an operative agreement. The EDPB observes that there
        are situations occurring in which the influence of one joint controller and its factual
        influence complicate the achievement of an agreement. However, those circumstances do not
        negate the joint controllership and cannot serve to exempt either party from its obligations
        under the GDPR. [...]

        However, the use of the terms “in particular” indicates that the obligations subject to the
        allocation of responsibilities for compliance by each party involved as referred in this
        provision are non-exhaustive. It follows that the distribution of the responsibilities for
        compliance among joint controllers is not limited to the topics referred in Article 26(1) but extends
        to other controller’s obligations under the GDPR. Indeed, joint controllers need to ensure
        that the whole joint processing fully complies with the GDPR.


        In this perspective, the compliance measures and related obligations joint controllers
        should consider when determining their respective responsibilities, in addition to those
        specifically referred in Article 26(1), include amongst others without limitation:

                • Implementation of general data protection principles (Article 5)
                • Legal basis of the processing (Article 6)
                • Security measures (Article 32)
                • Notification of a personal data breach to the supervisory authority and to the data
                  subject (Articles 33 and 34)
                • Data Protection Impact Assessments (Articles 35 and 36)
                • The use of a processor (Article 28)
                • Transfers of data to third countries (Chapter V)
                • Organisation of contact with data subjects and supervisory authorities”



In the view of the Danish DPA, two or more parties who are joint controllers must therefore jointly comply with the obligations of controllers under the GDPR. The parties are jointly responsible for ensuring that the processing operations in question are carried out in compliance with data protection law.



As such, Boligportal is, in principle, as (one of) the controller(s) subject to the obligations arising inter alia from Articles 5-22, 24-28, 30 to 39 and 44 to 49 GDPR.


In this context, the CJEU has clarified that the existence of joint liability does not necessarily imply equal responsibility of the various operators engaged in the processing of personal data. On the contrary, those operators may be involved at different stages of that processing of personal data and to different degrees, with the result that the level of liability of each of them must be assessed with regard to all the relevant circumstances of the particular case.11


In other words, joint controllership only covers those processing operations for which the parties jointly determine the purpose(s) and means.



In line with the case-law of the CJEU and the Danish DPA, the Danish DPA considers that Boligportal – as mentioned above in section 3.2 – is a joint controller for the processing operations of collection and transmission of personal data of website visitors, including the complainant. Boligportal is therefore not responsible for the processing of personal data carried out by Meta Ireland after its transmission to the latter as Boligportal does not determine the purposes and means of that subsequent processing.








11 Judgment of the Court of Justice of the European Union of 29 July 2019 in Case C-40/17 Fashion ID, paragraph 70, as well as the references therein.

However, Boligportal is a joint controller together with Meta Ireland for the collection and transmission of personal data about website visitors, including personal data of the complainant.


In particular, the Danish DPA considers that there are certain obligations which generally fall on the controller that Boligportal is precluded from observing given the nature of the processing operations. For example, it would appear to be impossible for Boligportal to comply with the right of access or the right to rectification since it is solely responsible for the processing of personal data in the form of collection and transmission and subsequently does not have access to the personal data.12


On the other hand, Boligportal does not appear to be precluded from complying – together with Meta Ireland – with the obligations relating to the transfer of personal data to third countries as set out in Article 44 GDPR, if and to the extent that personal data is processed by means located outside the EU/EEA in the context of collection and transmission of that personal data.


In view of the fact that collection and transmission can occur by means located outside the EU/EEA, it is the Danish DPA’s view that Boligportal is at least jointly responsible for ensuring compliance with Article 26 GDPR, in particular with regards to the allocation of roles and responsibilities concerning transfers of personal data to third countries. The Danish DPA places significant importance on the fact that personal data may as part of these processing operations be transferred outside the EU/EEA, for instance, if the processing – in this case collection and transmission – is carried out by processors outside the EU/EEA.


The Danish DPA also considers that these processing operations are only made possible by the fact that Boligportal has embedded tools from Meta Ireland on its website while being fully aware that these tools serve as a means of collecting and transmitting personal data of visitors to Boligportal’s website, including the complainant, to Meta Ireland. By Boligportal’s decision to embed these tools on its website, Boligportal exerts a decisive influence on how and where the processing of personal data of website visitors takes place, including, if applicable, whether the processing may occur by means located outside the EU/EEA.


Specifically, the Danish DPA notes that unlike disclosure of personal data between two individual controllers where Boligportal, prior to disclosure, would be obligated, in particular, to (i) ensure a lawful basis for the disclosure and (ii) comply with its notification obligation under Articles 13 and 14 GDPR, joint controllership exists for the processing operations of collection and transmission.


In light of this and having regard to the fact that one of the fundamental objectives of the GDPR is to ensure effective and complete protection of the fundamental rights and freedoms of natural persons, in particular the right to privacy and the right to data protection, the Danish DPA considers that Article 26 GDPR must be understood as an obligation for two or more parties who are joint controllers for processing of personal data to jointly ensure compliance with the GDPR and must jointly be able to demonstrate this.


It is thus the Danish DPA’s view that the underlying premise of joint controllership is that the parties must jointly demonstrate compliance with their obligations as controllers under the GDPR.








12 Opinion of Advocate General Bobek of 19 December 2018 in Case C-40/17 Fashion ID, paragraphs 83, 135-136.

If the parties were individually obligated to ensure compliance with the GDPR, it would, in the view of the Danish DPA, entail a risk that the data subject would not be guaranteed a full and effective protection of his or her rights and freedoms as certain obligations could be overlooked by both parties with the consequence that neither party complies with those obligations.


However, the parties who are joint controllers are not precluded, taking into account the specific processing activity, from organising themselves in such a way that inter alia the obligations pursuant to Article 44 are effectively observed by one of the parties. For instance, where collection and processing of personal data occurs by means located outside the EU/EEA, e.g. by way of a processor outside of the EU/EEA, the parties may organise themselves so that Article 44 is effectively observed by the party who has the contractual relationship with that processor(s). However, where appropriate, this must be made transparent and clear from the arrangement between the parties under Article 26 GDPR.


3.5. The principle of accountability

The GDPR contains a general principle of accountability in Article 5(2) GDPR. It follows that the controller is responsible for and must be able to demonstrate inter alia that personal data is lawfully processed.


The principle of accountability is further developed in Article 24 GDPR, from which it follows that, depending on the specific processing operation, the controller must take appropriate measures to ensure and be able to demonstrate that the processing is carried out in accordance with data protection rules.


Further, in its so-called Proximus-decision, the CJEU held that Articles 5(2) and 24 GDPR impose general accountability and compliance requirements upon controllers. In particular, those provisions require controllers to take appropriate measures to prevent possible infringements of the rules laid down by the GDPR in order to ensure the right to data protection.13


In the view of the Danish DPA, Articles 5(2) and 24 GDPR therefore impose an obligation on the controller to be able to document that the processing of personal data is carried out in compliance with data protection law, and to present this documentation, in particular to the supervisory authority.


It is the Danish DPA’s view that Boligportal has not, in connection with its embedding of tools from Meta Ireland, demonstrated that its processing of personal data of the complainant on 12 August 2020 was lawful, nor has the company demonstrated that its current processing of personal data of visitors to Boligportal’s website is lawful pursuant to Articles 5(1)(a), 5(2) and 24(1) GDPR.


As regards the processing of personal data of the complainant in connection with her visit to Boligportal’s website on 12 August 2020, the Danish DPA considers in particular that there has been an insufficient allocation of roles and responsibilities between Boligportal and Meta Ireland considering the processing activity and the purposes for which Boligportal, per its own submission as detailed in section 3.3 above, has processed the complainant’s personal data, and therefore that Boligportal has not been aware of whether personal data has been processed by means located outside the EU/EEA, e.g. by the use of processors outside the EU/EEA, in the context of processing activities for which the parties are joint controllers.





[13] Judgment of the Court of Justice of the European Union of 27 October 2022 in Case C-129/21, Proximus, paragraph 81.

The Danish DPA also considers that Boligportal itself has stated that it is not aware of whether
personal data as part of the collection and transmission to Meta Ireland are processed by

means located outside the EU/EEA, e.g. by the use of processors outside the EU/EEA, and
that it is not apparent from Meta Ireland’s terms and documentation, to which Boligportal has

referred, whether this is the case.


With regard to the processing of personal data of website visitors since Meta Ireland’s update
of its terms on 31 August 2020, the Danish DPA considers, in particular, that it is not apparent

from the current arrangement between Boligportal and Meta Ireland as joint controllers under
Article 26 GDPR whether personal data is processed by means located outside the EU/EEA
and where, including, if applicable, by the use of processors outside the EU/EEA in the context

of processing activities for which the parties are joint controllers and, consequently, which party
is responsible for ensuring compliance with Article 44 GDPR. The Danish DPA also considers

that Boligportal has not taken independent action to clarify these matters in greater detail.


It is the Danish DPA’s fundamental view that a controller cannot demonstrate its compliance
with data protection law when the controller is not fully aware of the facts relevant to its
processing of personal data.


On the contrary, when processing personal data – whether alone or jointly with others – a
controller must provide the supervisory authority with the necessary and relevant information

on how the processing of personal data, for which the organisation is (co-)responsible, takes
place.


In the view of the Danish DPA, this applies in particular where the controller, by not providing
the necessary information, avoids taking into account and assessing publicly known
circumstances relevant to the processing activity. In the present case, this includes e.g. the
publicly known fact that Meta Ireland (with which Boligportal is a joint controller), as part of
its ordinary business operations, generally processes personal data by means, such as technical
infrastructure, provided by Meta Platforms, Inc. in the United States.


In view of the fact that it is not apparent from the current arrangement between Boligportal and
Meta Ireland as joint controllers under Article 26 GDPR whether the processing for which the
parties are joint controllers takes place by means located outside the EU/EEA and where, and
consequently, which party must, in practice, ensure compliance with Article 44 GDPR, and that
Boligportal has not provided sufficient documentation to the Danish DPA in order to
demonstrate this, the Danish DPA considers that Boligportal has not demonstrated that its
processing of personal data is carried out in compliance with Article 26 GDPR pursuant to
Articles 5(1)(a), 5(2), and 24(1) GDPR.


4. Summary: Decision and order
The Danish DPA finds that there are grounds for seriously reprimanding Boligportal for not

demonstrating that its processing of personal data of the complainant on 12 August 2020 was
carried out in compliance with the GDPR and for not demonstrating that its current processing

of personal data of website visitors takes place in compliance with Article 26 GDPR pursuant
to Articles 5(1)(a), 5(2), and 24(1) GDPR.


Firstly, the Danish DPA considers that the supervisory authority cannot adopt a decision
specifically on Boligportal’s possible transfer of personal data of the complainant to the United
States as there is disagreement between the parties as to whether personal data of the
complainant was in fact transferred to the United States.

However, the fact that the Danish DPA cannot decide on the possible transfer of personal data
of the complainant to the United States gives the supervisory authority cause to assess whether
Boligportal has complied with its obligations under the GDPR, in particular its obligation to
demonstrate its compliance with the GDPR under Articles 5(1)(a), 5(2), and 24(1).


In this regard, the Danish DPA considers that – at the time of the complainant’s visit to
Boligportal’s website on 12 August 2020 – there has been an insufficient allocation of roles and
responsibilities between Boligportal and Meta Ireland in light of the processing of personal data
that occurred.

Considering the processing activity and the purposes for which Boligportal, per its own
submission as detailed in section 3.3 above, has processed the complainant’s personal data, the
parties must be considered as joint controllers for the processing of personal data of the
complainant.


In view of this, and considering that at the time of the complainant’s visit to Boligportal’s website
there was no arrangement pursuant to Article 26 GDPR in place which in a transparent manner

determined the parties’ respective responsibilities for compliance with the GDPR, the Danish
DPA finds that Boligportal has not demonstrated that its processing of personal data of the

complainant was carried out in compliance with Article 26 GDPR pursuant to Articles 5(1)(a),
5(2), and 24(1).


Additionally, the Danish DPA finds that it is unclear from the current arrangement concluded
between Boligportal and Meta Ireland as joint controllers pursuant to Article 26 GDPR whether
personal data of website visitors are processed by means located outside the EU/EEA
including, if applicable, by the use of processors outside the EU/EEA in the context of processing
activities under the parties’ joint controllership and, consequently, which party is responsible
for complying with Article 44 GDPR.


As such, the Danish DPA considers that Boligportal has not, in general, demonstrated that its
current processing of personal data takes place in compliance with Article 26 GDPR pursuant
to Articles 5(1)(a), 5(2), and 24(1) GDPR as Boligportal has not fully identified whether
personal data of visitors to its website is processed by means located outside the EU/EEA and
where, including, if applicable, by the use of processors outside the EU/EEA in the context of
processing activities for which Boligportal and Meta Ireland are joint controllers.


On this basis, the Danish DPA orders Boligportal to bring its processing of personal data into
compliance with Articles 5(1)(a), 5(2), 24(1) and 26 GDPR and to be able to demonstrate
compliance with these provisions.


Boligportal shall comply with the order no later than 18 May 2023. The Danish DPA requests
confirmation and documentation that the order has been complied with no later than the same

date.


In the view of the Danish DPA, this order may inter alia be complied with by clarifying the
allocation of roles and responsibilities between Boligportal and Meta Ireland, so that it is
apparent from the arrangement between the parties whether personal data of website visitors in
the context of the joint controllership is processed by means located outside the EU/EEA
including, if applicable, by the use of processors outside the EU/EEA and, consequently, how
Article 44 GDPR is complied with as well as which party must ensure compliance with that
provision. Alternatively, the order may be complied with by ceasing the processing
activity in question.


The Danish DPA notes that the above-mentioned suggested solutions are not exclusive and
do not constitute the only options for how Boligportal may comply with the order. As the
controller, Boligportal has full freedom of choice in accordance with Articles 5(2) and 24(1) GDPR
as to how it demonstrates its compliance with the GDPR.


This order is notified pursuant to Article 58(2)(d) GDPR.


According to Section 41(2)(4) of the Danish Data Protection Act, a fine or imprisonment of up
to 6 months shall be imposed on persons who fail to comply with an order issued by the Danish

DPA pursuant to Article 58(2)(d) GDPR.


5. Final remarks
The Danish DPA regrets the lengthy consideration of the case and that Boligportal has not

been continuously informed of delays in reaching a decision, etc.


A copy of this decision will be forwarded to the complainant.


For completeness, the Danish DPA notes that the authority intends to publish this decision on
its website.


Kind regards









Annex: Legal basis.









Annex: Legal basis


Excerpts from Regulation (EU) 2016/679 of the European Parliament and of the Council
of 27 April 2016 on the protection of natural persons with regard to the processing
of personal data and on the free movement of such data, and repealing Directive
95/46/EC (General Data Protection Regulation)

                                            Chapter II

                                           Principles
                                             Article 5

                     Principles relating to processing of personal data
1. Personal data shall be:


     a)  processed lawfully, fairly and in a transparent manner in relation to the data subject
         (‘lawfulness, fairness and transparency’);
     b)  collected for specified, explicit and legitimate purposes and not further processed in
         a manner that is incompatible with those purposes; further processing for archiving
         purposes in the public interest, scientific or historical research purposes or statistical
         purposes shall, in accordance with Article 89(1), not be considered to be incompatible
         with the initial purposes (‘purpose limitation’);
     c)  adequate, relevant and limited to what is necessary in relation to the purposes for
         which they are processed (‘data minimisation’);
     d)  accurate and, where necessary, kept up to date; every reasonable step must be
         taken to ensure that personal data that are inaccurate, having regard to the purposes
         for which they are processed, are erased or rectified without delay (‘accuracy’);
     e)  kept in a form which permits identification of data subjects for no longer than is
         necessary for the purposes for which the personal data are processed; personal data
         may be stored for longer periods insofar as the personal data will be processed
         solely for archiving purposes in the public interest, scientific or historical research
         purposes or statistical purposes in accordance with Article 89(1) subject to
         implementation of the appropriate technical and organisational measures required by this
         Regulation in order to safeguard the rights and freedoms of the data subject
         (‘storage limitation’);
     f)  processed in a manner that ensures appropriate security of the personal data,
         including protection against unauthorised or unlawful processing and against
         accidental loss, destruction or damage, using appropriate technical or organisational
         measures (‘integrity and confidentiality’).


2. The controller shall be responsible for, and be able to demonstrate compliance with,
paragraph 1 (‘accountability’).










                                            Chapter IV
                                   Controller and processor

                                             Article 24
                                Responsibility of the controller
1. Taking into account the nature, scope, context and purposes of processing as well as the
risks of varying likelihood and severity for the rights and freedoms of natural persons, the
controller shall implement appropriate technical and organisational measures to ensure and to be
able to demonstrate that processing is performed in accordance with this Regulation. Those
measures shall be reviewed and updated where necessary.


2. Where proportionate in relation to processing activities, the measures referred to in
paragraph 1 shall include the implementation of appropriate data protection policies by the
controller.


3. Adherence to approved codes of conduct as referred to in Article 40 or approved certification

mechanisms as referred to in Article 42 may be used as an element by which to demonstrate
compliance with the obligations of the controller.


                                             Article 26

                                        Joint controllers
1. Where two or more controllers jointly determine the purposes and means of processing,
they shall be joint controllers. They shall in a transparent manner determine their respective
responsibilities for compliance with the obligations under this Regulation, in particular as
regards the exercising of the rights of the data subject and their respective duties to provide
the information referred to in Articles 13 and 14, by means of an arrangement between them
unless, and in so far as, the respective responsibilities of the controllers are determined by
Union or Member State law to which the controllers are subject. The arrangement may
designate a contact point for data subjects.

2. The arrangement referred to in paragraph 1 shall duly reflect the respective roles and
relationships of the joint controllers vis-à-vis the data subjects. The essence of the arrangement
shall be made available to the data subject.


3. Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject

may exercise his or her rights under this Regulation in respect of and against each of the
controllers.





                                           CHAPTER V

       Transfers of personal data to third countries or international organisations
                                             Article 44

                                General principle for transfers
Any transfer of personal data which are undergoing processing or are intended for
processing after transfer to a third country or to an international organisation shall take place
only if, subject to the other provisions of this Regulation, the conditions laid down in this
Chapter are complied with by the controller and processor, including for onward transfers of
personal data from the third country or an international organisation to another third country
or to another international organisation. All provisions in this Chapter shall be applied in
order to ensure that the level of protection of natural persons guaranteed by this Regulation is
not undermined.